Digital forensics is still a young science. That newness, coupled with the fast-changing world of computer technology, has resulted in a taxonomy and methodology for digital forensics that is poorly defined and confusing to computer security experts and law enforcement.

Network forensics, a subdiscipline of digital forensics, deals with computer network data that has become evidence. Network forensics can be used to check an organization's networks for vulnerabilities and thus keep them secure, and it can be used in the context of traditional law enforcement and the court system.

If no standards exist, researchers can't test new software to see if it meets those standards

We must anticipate that in the near future, network forensics will be a common component of trial cases. As a result, having credible standards for network forensics is vital to the continued speed and fairness of the US judicial system.

As forensic evidence, network data is slippery to collect: It resides neither with its sender nor with its receiver. Usually it is archived only by network service providers or by law enforcement. Who owns such evidence is one of numerous legal dilemmas created by the lack of standards. These issues could be resolved were standards bodies to create formal taxonomies, procedures and tools for network forensics. The US computer security community should assist in the creation and maintenance of formal standards. The most expedient way to implement these standards may be to use proprietary tools rather than open source software or freeware.

In the absence of formal standards for network forensics standards, many de facto standards and best practices have been implemented. In fact, de facto standards have been in use since network forensics has been part of the corporate and legal landscape.

The most general best practices in network forensics concern preservation, identification, extraction, documentation and interpretation. Each component of these best practices is broken down into smaller, commonsense procedures. For instance, the preservation best practice recommends working in teams and collecting maximum amounts of data. There's also an evidence-collection chronology best practice: Focus on network danger first, then collect the data. Although these practices represent a fraction of the network security corpus, they do signify a core knowledge base.

Lack of standards also creates recursive problems: If no standards exist, researchers can't test new software to see if it meets those standards. Nor can they create benchmarking tools to test software for standards applicability. In fact, researchers at the US National Institute of Standards and Technology (NIST) complained their methodology for testing tools for network forensics "was complicated by the lack of standards or specifications that describe what forensic tools should do", and subsequently have not revised their research.

Learning from the EU

In 2003 the European Union released the world's first network forensics standards, which it intended all EU nations to implement. These standards were clearly presented and strongly promoted, but they were unsuccessful nonetheless. Indeed, the EU's computer security community appears to have rejected or ignored these forensic tools, as well as the call to use them.

How did this happen? The solution could lie with the standards themselves. The EU's recommended forensic applications were Web-based freeware, written in XML. This design was well intentioned, even practical, given the EU member nations' varying rules of evidence. XML is slow, however, and quickly has become outmoded; a Web-based application's value depends on its browser and network connection; and as a way to gather evidence in a high-stakes judicial case, freeware is a dicey solution.

The corporate argument that "we shouldn't have to pay for commercial network forensic tools if we won't ever need them", theoretically is certainly valid. But in practice, if an organization's network data is subpoenaed, that organization should be prepared to present its best possible forensic evidence.

Commercial network forensic and analysis tools are common now, and need not be highly elaborate or expensive to provide users with complete and easy-to-understand data. Manufacturers of forensic and visibility tool kits should partner with standards bodies such as NIST to create functional and lasting standards for network forensics.

Network forensics is only growing more important. Standardized tools and methods will ease the job for network admins, researchers and expert witnesses, and will be an improvement to the judicial system.

Rosenberg is Sandstorm's editorial communications coordinator. Reach her at beth@sandstorm.net.